I have a PayPal listener that gets an HTTP POST request from PayPal (or the PayPal documentation seems to indicate that's what they send), the listener sends back the information for verification by PayPal, and then if the information is verified, it does database transactions. This is the normal PayPal IPN process and the verification part works fine.

One of the values in the POST array that I get from PayPal is something that I am passing through to keep track of the transaction number. So I make a call that looks like: (not actual code; I am fully aware of SQL injection)

UPDATE transactions SET status='paid' WHERE id=$_POST['invoice']

The problem: If I fake the input by pointing a form with some inputs to my listener everything works fine, but if I get a real POST array from PayPal the database doesn't run. I know the $_POST['invoice'] variable is set when I get the real PayPal data, I've tested that, and it has a valid value, like 84, so I don't know why my transaction doesn't execute. The lines above and below the transaction both execute.

Maybe I'll have to post my actual code, but is it possible that PHP could be configured in some way that it wouldn't run transactions when it gets a request from PayPal? Like I said, I think PayPal is sending an HTTP POST request so it should be indistinguishable from my fake form, but something is wrong.

We'll need to see some exact code surrounding the sql query. Chances are that the query has a syntax error in it (when the data from PayPal is inserted). Check your error log.
–
John V.Aug 18 '12 at 21:08

I doubt the usefulness of the code but $conditionArray = array('transaction' => $invoice_number); $fields = array('status' => 'Paid'); $transactions->changeFields($conditionArray, "AND", $fields); The first line has the invoice number that I know I am getting from paypal. The second line is how I want to update the table entry. The third line is me calling a convoluted function, but I know the function works because if $invoice_number is spoofed this works. The lines above and below this send me emails which is how I know $invoice_number is set.
–
The Q CS or GSAug 19 '12 at 16:03

@LawrenceCherone it is a live server
–
The Q CS or GSAug 19 '12 at 16:04

@AlexLunix I actually can't check the error log, but I'll ask someone who can, and hopefully that will lend some insights, if it has anything helpful I'll post it back here, thanks!
–
The Q CS or GSAug 19 '12 at 16:05

2 Answers
2

PayPal's IPN's can contain arrays, which are not handled very well by php when reading from the $_POST variable. It's possible that this is tripping up your handler (In this case, you will need to read and manipulate the raw data) .

If possible try to read the raw incoming data and compare against your simulated data, as others have suggested.

The notify URL was set to point at the listener in the development database. So I got the emails indicating that the POST['invoice'] variable was set, but all the transactions were run on the development database